On June 28, 2019, the German parliament (Bundestag) passed new legislation imposing several changes to the current German Federal Data Protection Act (“BDSG”). Although many of the changes addressed privacy aspects of criminal proceedings, the new legislation makes an important change for small companies by increasing the threshold to designate a Data Protection Officer (“DPO”). Whereas currently companies have to designate a DPO if they constantly employ at least 10 employees who deal with the automated processing of personal data, the new legislation increases the minimum number of employees from 10 to 20, significantly decreasing the financial and administrative burden for small companies doing business in Germany. This article explains the changes, their impact, and what companies should do.
Dr. Christian Schröder heads Orrick's IP/IT & Data Privacy Practice Group in Germany from Orrick’s Düsseldorf office. Christian advises clients ranging from medium-sized (Mittelstand) companies to large multinationals on IP, Unfair and Deceptive Trade Practices, E-Commerce, IT and Data Privacy/Data Protection.
He is listed in Germany's leading lawyer ranking magazine JUVE as a frequently recommended data privacy expert, and clients recommend him to JUVE for his "reliable and actionable advice". Christian and his practice are also ranked by The Legal 500 Germany and The Legal 500 EMEA, as well as by Germany’s business journals WiWo and Handelsblatt, as being among the leading German and European IT and data privacy practices (2019 and 2020). Clients referred to him and his team as "Top data privacy expert", "extremely knowledgeable", and "able to explain complex legal issues in an easily understandable way so that both legal and economic decisions can be made". Christian Schröder is recommended for his "data protection expertise and quick comprehension as well as his entrepreneurial acumen."
Christian provides IP/IT advice in M&A transactions and advises on IP-focused joint ventures. He supports companies on the set-up of webshops, outsourcings and license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hardware and software license and IT project agreements.
As a core member of Orrick's global Cyber, Privacy & Data Innovation practice, Christian has a special focus on data privacy/data protection matters. In particular, he advises on privacy compliance programs, on a risk-based approach to privacy, and on implementing databases and new software applications, especially cloud-based solutions. He advises on IT and data privacy contracts, internal data privacy policies, binding corporate rules, user agreements on BYOD, whistleblowing schemes, e-discovery, security breaches, and intra-group data sharing on a national and international basis. Christian regularly represents market-leading clients in IT and data privacy contract negotiations and regularly defends companies against unfair access to their know-how by competitors and against unfair poaching of customers and employees.
The Bavarian Data Protection Authority (“BDPA”) took the “safer internet day” in February 2019 as an opportunity to conduct privacy checks on website operators. The focus was on “cybersecurity” (in particular, password security) and “tracking”, and the outcome is rather disillusioning, according to the BDPA. The BDPA stated that necessary security measures were not implemented and none of the cookie banners obtained valid consent. The BDPA announced it would conduct further checks via written procedures or even by on-site inspections to validate the quick check results and assess whether further actions must be taken. In those cases where the BDPA is not competent, the BDPA will consider reaching out to competent lead supervisory authorities where necessary so that they can provide their insights.
The EU-Japan Economic Partnership Agreement between Japan and the European Union (“EU”) recently came into force, creating the world’s biggest open trading zone that covers 635 million people and almost one-third of the world’s total GDP. In the shadow of that agreement, however, another development—the mutual acknowledgment of data protection standards—took place, which should not be overlooked because it sets another world record. On January 23, 2019, the European Commission adopted its adequacy decision on Japan, acknowledging that Japan provides for an adequate level of data protection. Similarly, effective January 23, 2019, the Japanese independent data protection authority, the Personal Information Protection Commission (“PPC”), has also designated countries within the European Economic Area as having an equivalent level of data protection. This mutual acknowledgement created what is being referred to as the “largest area of safe data transfer” in the world.
These developments have important benefits for companies transferring data from the EU to Japan and vice versa, reducing burdens and giving companies greater access to customers. Below, we discuss the developments and describe what companies should consider in the future.
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look more closely at data protection compliance and particularly work on their notices and consent forms.
In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR.
(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law.
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization.
January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.
The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with the GDPR. In addition to taking effect on the same day as the GDPR (25 May 2018), the penalties for non-compliance envisaged by the draft Regulation are the same as under the GDPR (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).
Companies required to appoint a data protection officer (“DPO”) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA”) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR”) and thus influence the appointment of DPOs by international companies.
According to a press release of the Data Protection Supervisory Authority in the Land Mecklenburg Vorpommern of November 3, German supervisory authorities have randomly selected 500 companies in Germany and sent them requests for information on their international data transfers. The German supervisory authorities are undertaking this coordinated action in order to increase awareness among companies of the need to ensure data privacy compliance of international data transfers.